HIGH: Open MS-SQL Server Resolution Service Report

DESCRIPTION LAST UPDATED: 2023-12-16

DEFAULT SEVERITY LEVEL: HIGH

This report identifies hosts that have the MS-SQL Server Resolution Service running and accessible on the Internet.

An exposed service can reveal information about the network on which it is accessible, and the service itself can be used in UDP amplification attacks.

You can track MS-SQL Server Resolution Service exposure on our Dashboard.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page.

Filename(s): scan_mssql

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the MS-SQL response came on (usually UDP)
  • port
    Port that the MS-SQL response came from (usually 1434)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Will always be mssql
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • server_name
    The ServerName field in the response — this is usually the NetBIOS name of the server
  • instance_name
    The InstanceName field in the response — this is the name of the SQL instance on the server
  • version
    Version number of the running MS-SQL / SQLExpress service
  • tcp_port
    The TCP port that you would use to connect to the MS-SQL instance
  • named_pipe
    The named pipe that the SQL server is advertising
  • response_length
    Length of the response from the MS-SQL Server Resolution Service (including packet headers)
  • amplification
    Amplification factor (this amplification is based solely on the payload size sent and payload size received)
  • sector
    Sector of the IP

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","version","asn","geo","region","city","naics","hostname_source","server_name","instance_name","tcp_port","named_pipe","response_size","amplification","sector"
"2010-02-10 00:00:00",high,192.168.0.1,udp,1434,node01.example.com,mssql,14.0.1000.169,64512,ZZ,Region,City,0,ptr,EC2AMAZ-5EQ7HP5,DESA_BD,8391,,432,432.00,"Retail Trade"
"2010-02-10 00:00:01",high,192.168.0.2,udp,1434,node02.example.com,mssql,11.0.5058.0,64512,ZZ,Region,City,0,ptr,VMI928477,SQLEXPRESS,1433,"\\\\VMI928477\\pipe\\MSSQL$SQLEXPRESS\\sql\\query",324,324.00,
"2010-02-10 00:00:02",high,192.168.0.3,udp,1434,node03.example.com,mssql,11.0.2100.60,64512,ZZ,Region,City,0,ptr,WIN-TBLMEED2MVS,VINNS,1433,"\\\\WIN-TBLMEED2MVS\\pipe\\MSSQL$VINNS\\sql\\query",330,330.00,"Retail Trade"
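
The following is an added example, not Shadowserver's own code: a way to load this report and group findings per IP so the worst amplifiers and the TCP ports advertised by each instance are reviewed first. The function names `load_findings` and `remediation_plan`, the constructed sample rows, and the treatment of doubled backslashes in `named_pipe` as escaping are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed rows in the scan_mssql layout (documentation IPs, made-up names).
SAMPLE = r'''"timestamp","severity","ip","protocol","port","hostname","tag","version","asn","geo","region","city","naics","hostname_source","server_name","instance_name","tcp_port","named_pipe","response_size","amplification","sector"
"2010-02-10 00:00:00",high,192.0.2.10,udp,1434,db1.example.com,mssql,14.0.1000.169,64512,ZZ,Region,City,0,ptr,DBHOST01,APPDB,8391,,432,432.00,"Retail Trade"
"2010-02-10 00:00:01",high,192.0.2.20,udp,1434,db2.example.com,mssql,11.0.5058.0,64512,ZZ,Region,City,0,ptr,DBHOST02,SQLEXPRESS,1433,"\\\\DBHOST02\\pipe\\MSSQL$SQLEXPRESS\\sql\\query",324,324.00,
'''

def load_findings(text):
    """Parse scan_mssql CSV text into normalized per-instance records."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("tag") != "mssql":
            continue  # not a row from this report
        # Field list says response_length, sample header says response_size: accept both.
        size = row.get("response_size") or row.get("response_length") or "0"
        findings.append({
            "ip": row["ip"],
            "udp_port": int(row["port"]),
            "instance": f'{row["server_name"]}\\{row["instance_name"]}',
            "version": row["version"],
            "tcp_port": int(row["tcp_port"]) if row["tcp_port"] else None,
            # Assumption: doubled backslashes in named_pipe are escaping.
            "named_pipe": row["named_pipe"].replace("\\\\", "\\") or None,
            "response_size": int(size),
            "amplification": float(row["amplification"] or 0),
        })
    return findings

def remediation_plan(findings):
    """Group by IP, worst amplifier first, with the ports each host exposes."""
    hosts = defaultdict(lambda: {"udp_ports": set(), "advertised_tcp": set(),
                                 "instances": [], "amplification": 0.0})
    for f in findings:
        h = hosts[f["ip"]]
        h["udp_ports"].add(f["udp_port"])  # resolution service reachable here
        if f["tcp_port"] is not None:
            h["advertised_tcp"].add(f["tcp_port"])  # instance port named in the reply
        h["instances"].append((f["instance"], f["version"]))
        h["amplification"] = max(h["amplification"], f["amplification"])
    return sorted(hosts.items(), key=lambda kv: kv[1]["amplification"], reverse=True)

if __name__ == "__main__":
    for ip, h in remediation_plan(load_findings(SAMPLE)):
        print(ip, sorted(h["udp_ports"]), sorted(h["advertised_tcp"]),
              h["instances"], h["amplification"])
```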
